Supabase can use anonymized and aggregated data derived from your data and usage to improve and analyze its services, and this derived data is treated as Supabase's own intellectual property.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Even though Supabase does not claim ownership of your raw customer data, it retains rights to insights and analytics derived from that data, which is a common but material practice in cloud service agreements that customers should factor into their own privacy disclosures.
Interpretive note: The adequacy of anonymization is not defined in the agreement; whether derived data meets GDPR or CCPA deidentification standards depends on implementation details not disclosed in this document.
The relocation of Supabase's legal entity from Delaware to Singapore may affect which jurisdiction's courts and laws apply to disputes, potentially impacting your ability to pursue claims in US court…
Data about how you and your users interact with Supabase's platform can be aggregated and used by Supabase indefinitely as its own intellectual property, even after your subscription ends. Customers with strict data minimization obligations under GDPR or sector-specific regulations should assess whether this derivation is disclosed in their own privacy notices.
How other platforms handle this
You retain any and all of your rights to any content you submit, post or display on or through the Services ('User Content') and you are responsible for protecting those rights. By submitting User Content through the Services, you hereby grant to Unity a non-exclusive, worldwide, royalty-free, fully...
As between you and AWS, you own your Content. We do not claim any ownership or control over your Content or the outputs generated through your use of Amazon Bedrock.
As between you and Anthropic, and to the extent permitted by applicable law, you retain any right, title, and interest that you have in the Inputs you submit. Subject to your compliance with our Terms, we assign to you all of our right, title, and interest—if any—in Outputs.
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
""Aggregated Data" means data and information related to or derived from Customer Data or Customer's use of the Services that is used by Supabase in an aggregate and anonymized manner, including to compile statistical and performance information related to the Services. [...] "Supabase IP" means the Services, the Documentation, and any and all intellectual property provided to Customer or any Authorized User in connection with the foregoing. For the avoidance of doubt, Supabase IP includes Aggregated Data and any information, data, or other content derived from Supabase's provision of the Services but does not include Customer Data.— Excerpt from Supabase's Supabase Terms of Service
REGULATORY LANDSCAPE: The Aggregated Data provision implicates GDPR Article 5 (data minimization and purpose limitation) and Recital 26 (anonymization standards), as well as CCPA definitions of deidentified data. The adequacy of Supabase's anonymization methodology is not described in this agreement; customers acting as data controllers bear responsibility for ensuring downstream processing by processors meets applicable standards. The DPA referenced in the agreement should address this processing basis. GOVERNANCE EXPOSURE: Medium. Classifying derived data as Supabase IP is standard in cloud service agreements, but the scope of 'derived from Customer Data' is broad and could encompass behavioral patterns, query structures, or usage metrics that indirectly reveal customer or end-user information if re-identification risk is not adequately managed. JURISDICTION FLAGS: GDPR's standard for anonymization is high; data that fails the anonymization test under GDPR remains personal data subject to full regulatory obligations. California's CCPA defines deidentified data with specific technical and contractual safeguards. Healthcare customers subject to HIPAA should assess whether derived data could constitute de-identified PHI under the Safe Harbor or Expert Determination methods. CONTRACT AND VENDOR IMPLICATIONS: The DPA should be reviewed to confirm whether Aggregated Data processing is addressed as a permitted purpose or reserved right, and whether customers receive any transparency about how aggregation and anonymization are implemented technically. The IP classification of Aggregated Data means customers cannot later claim ownership or seek deletion of this derived data. COMPLIANCE CONSIDERATIONS: Customers should update their own privacy notices to disclose that their cloud service provider may derive aggregated analytics from their data; review the DPA for anonymization standards and audit rights; and assess whether the Aggregated Data carve-out is compatible with their data processing agreements with their own customers.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Even though Supabase does not claim ownership of your raw customer data, it retains rights to insights and analytics derived from that data, which is a common but material practice in cloud service agreements that customers should factor into their own privacy disclosures.
Data about how you and your users interact with Supabase's platform can be aggregated and used by Supabase indefinitely as its own intellectual property, even after your subscription ends. Customers with strict data minimization obligations under GDPR or sector-specific regulations should assess whether this derivation is disclosed in their own privacy notices.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.